Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers
Summary:
Cybereason Security Services has identified a malicious Chrome extension campaign, dubbed "Madgicx Plus," that is actively targeting advertisers on Meta's platforms, Facebook and Instagram. Posing as an AI-driven ad optimization tool, the extension promises to boost ad performance but is actually a sophisticated piece of malware. The campaign's operators have created professionally designed websites, such as madgicx-plus[.]com, to distribute the extension. This malicious tool is designed to steal credentials and hijack business sessions. A static review of the extension's code revealed it requests broad permissions, giving it full access to all websites a user visits. This allows it to inject scripts, read data, and hijack sessions across any domain. The malware also abuses the Declarative Net Request API to bypass Facebook's origin validation, enabling it to steal session tokens and impersonate victims without needing their password credentials. Dynamic analysis confirmed this behavior, showing that after a user connects their Google account, the extension prompts them to link their Facebook account, allowing the threat actor to gain access to both sets of accounts. The campaign's infrastructure, which reuses domains and IP addresses from past malicious operations, suggests it is an evolving and coordinated effort rather than a cluster of unrelated attacks.
Security Officer Comments:
This campaign is an example of threat actors adapting their tactics to target high-value assets. By impersonating a legitimate-sounding ad-tech tool, the attackers exploit the trust of organizations' users and their need for performance optimization in digital marketing. The sophisticated use of techniques, like abusing Chrome's Declarative Net Request API to strip HTTP Origin headers and hijack session tokens, highlights a level of complexity in the attack chain that is increasingly common in financially motivated cybercrime. The continuity of infrastructure points to a dedicated threat group's operations, suggesting this is a persistent threat that will likely continue to evolve. Organizations should treat new and unverified browser extensions with extreme caution, as they have become an effective initial access vector for credential theft and account takeover.
Suggested Corrections:
To reduce the risk of falling victim to malicious browser extensions, users and organizations should adopt a cautious approach:
Verify before installing: Always check the extension’s publisher, permissions, and user feedback. Be wary of extensions with little history or unclear ownership.
Clean up unused extensions: Remove any extensions that are no longer actively used, as dormant ones can still pose risks.
Disable when unnecessary: Consider turning off extensions temporarily if they are not needed for ongoing tasks.
Separate browsing contexts: Use dedicated Chrome profiles for different purposes (e.g., work, banking, personal use) to limit potential exposure.
Inspect and report: For technically capable users, reviewing extension code can uncover suspicious behavior. Report anything unusual to the browser vendor.
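As an added example (not code from the Cybereason report or from the extension itself), the following Python audit flags the static traits the summary describes: broad host permissions, the declarativeNetRequest permission, and packaged DNR rules that remove or overwrite Origin-style request headers. The manifest and rule set below are constructed samples, not the real extension's files.

```python
import json

# Constructed sample manifest.json and static DNR rule set that mimic the
# permission pattern described in the bulletin (NOT the real extension's files).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ad Optimizer",
    "permissions": ["declarativeNetRequest", "storage", "cookies"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {
        "rule_resources": [{"id": "rules", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_RULES = [
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders",
                "requestHeaders": [{"header": "origin", "operation": "remove"}]},
     "condition": {"urlFilter": "facebook.com", "resourceTypes": ["xmlhttprequest"]}},
]

# Host patterns that grant access to every site the user visits (MV2 puts
# them in "permissions", MV3 in "host_permissions"; both are checked).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Request headers whose removal/rewrite defeats origin checks or leaks sessions.
SENSITIVE_HEADERS = {"origin", "referer", "cookie", "authorization"}

def audit_extension(manifest, rule_sets):
    """Return a list of human-readable findings for a manifest dict and a
    mapping of rule-file path -> list of DNR rules (parsed JSON)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        findings.append("uses declarativeNetRequest")
    if "cookies" in perms:
        findings.append("can read cookies")
    for path, rules in rule_sets.items():
        for rule in rules:
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            for hdr in action.get("requestHeaders", []):
                name = hdr.get("header", "").lower()
                op = hdr.get("operation")
                if name in SENSITIVE_HEADERS and op in ("remove", "set"):
                    findings.append(f"{path} rule {rule.get('id')} {op}s request header '{name}'")
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES}), indent=2))
```

To run it against an unpacked extension, load its manifest.json and each file listed under declarative_net_request.rule_resources with json.load and pass them in.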
Link(s):
https://www.cybereason.com/blog/chrome-extension-campaign-madgicx